Figure 14 (predictive-parsing pseudocode for the <statement> production):

statement()
{
    if (lookahead == IF)
    {
        b_exp();                                 /* parse the condition */
        if (lookahead == THEN)
        {
            if (lookahead == REJECT || lookahead == ACCEPT)
                finish();                        /* emit the action; the statement is complete */
            else
                Error("REJECT or ACCEPT is expected");
        }
        else
            Error("THEN is expected");
    }
    else if (lookahead == REJECT || lookahead == ACCEPT)
        action();                                /* REJECT|ACCEPT SOURCE|DESTINATION ADDRESS|PORT GROUP <number-list> */
    else
        b_exp();                                 /* a bare boolean expression */
}
Figure 15 (expression-based language syntax definition in BNF):

<filter>             ::= <statement> { ; <statement> }
<statement>          ::= <b-exp> | IF <b-exp> THEN [ REJECT | ACCEPT ] | <action>
<b-exp>*             ::= <logical-and-exp> | <b-exp> OR <b-exp>
<logical-and-exp>*   ::= <inclusive-or-exp> | <logical-and-exp> AND <inclusive-or-exp>
<inclusive-or-exp>   ::= <exclusive-or-exp> | <inclusive-or-exp> "|" <exclusive-or-exp>
<exclusive-or-exp>   ::= <and-exp> | <exclusive-or-exp> ^ <and-exp>
<and-exp>            ::= <equality-exp> | <and-exp> & <equality-exp>
<equality-exp>       ::= <rel-exp> | <equality-exp> [ = | != ] <rel-exp>
<rel-exp>            ::= <shift-exp> | <rel-exp> [ >= | > | <= | < ] <shift-exp>
<shift-exp>          ::= <not-exp> | <shift-exp> [ << | >> ] <not-exp>
<not-exp>            ::= <operand> | not <operand>
<operand>            ::= ( <inclusive-or-exp> ) | <field> | <constant>
<action>             ::= [ REJECT | ACCEPT ] [ SOURCE | DESTINATION ] [ ADDRESS | PORT ] GROUP <number-list>
<number-list>        ::= <number> { , <number> }

The above are defined under the assumption that logical AND and logical OR can be
substituted by bitwise AND and bitwise OR respectively. Otherwise, the following
definitions replace the two definitions marked with *:

<b-exp>              ::= <log-exp-list> | ( <log-exp-list> )
<log-exp-list>       ::= <log-and-exp-list> | <log-or-exp-list>
<log-and-exp-list>   ::= <inclusive-or-exp> { AND <inclusive-or-exp> }
<log-or-exp-list>    ::= <inclusive-or-exp> { OR <inclusive-or-exp> }
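The following Python program is an added example, not the patent's own code. It implements the IF <b-exp> THEN [ REJECT | ACCEPT ] form of the <statement> production above as a predictive (recursive-descent) parser in the style of Figure 14, one method per production with a single token of lookahead, and emits the stack-oriented filter language used throughout the description. It covers the subset the page's examples use: AND, OR, &, parentheses, the six comparison operators, fields and hex/decimal constants. Everything not on the page is an assumption of the example: the field table (type/length at offset 12, daddr at 0, saddr at 6, with a width suffix w/l/a for 2/4/6 bytes), the rule that a REJECT statement is emitted as the negated accept condition (which is what the page's scripts do, e.g. ne for a reject on saddr), that both & and AND become the stack instruction and (as the note under the BNF permits), and the names compile_statement, Parser, tokenize and emit.

```python
import re

# Added example, not the patent's code. The field table is an assumption modelled on
# the page's scripts (type/length at offset 12, daddr at 0, saddr at 6; w/l/a = 2/4/6 bytes).
FIELDS = {"type": ("pushField.w 12", "w"), "length": ("pushField.w 12", "w"),
          "daddr": ("pushField.a 0", "a"), "saddr": ("pushField.a 6", "a"),
          "sagm": ("pushSAGM", "l"), "dagm": ("pushDAGM", "l"),
          "spgm": ("pushSPGM", "l"), "dpgm": ("pushDPGM", "l")}
CONSTS = {"ip": 0x0800, "ipx": 0x8137, "appletalk": 0x809b}   # type values from the page
CMP = {"=": "eq", "!=": "ne", "<": "lt", "<=": "le", ">": "gt", ">=": "ge"}
FLIP = {"eq": "ne", "ne": "eq", "lt": "ge", "ge": "lt", "gt": "le", "le": "gt"}
DIGITS = {"b": 2, "w": 4, "l": 8, "a": 12}                    # hex digits per literal width
KEYWORDS = {"if", "then", "and", "or", "reject", "accept"}
TOKEN = re.compile(r"(0x[0-9a-fA-F]+|\d+)|([A-Za-z_]\w*)|(<=|>=|!=|[=<>&()])")

def tokenize(src):                       # -> [(kind, value)] with kind NUM / KW / ID / OP, then EOF
    toks = [("NUM", int(n, 16 if n[:2].lower() == "0x" else 10)) if n else
            ("KW" if w.lower() in KEYWORDS else "ID", w.lower()) if w else ("OP", o)
            for n, w, o in TOKEN.findall(src)]
    return toks + [("EOF", None)]

class Parser:                            # predictive parser in the style of Figure 14
    def __init__(self, src): self.toks, self.i = tokenize(src), 0
    def look(self): return self.toks[self.i]
    def take(self):
        tok = self.toks[self.i]
        self.i += tok[0] != "EOF"        # one token of lookahead; never run past EOF
        return tok
    def match(self, kind, val=None):     # consume the expected token or say what was expected
        k, v = self.look()
        if k != kind or (val is not None and v != val):
            raise SyntaxError(f"{(val or kind).upper()} is expected, got {v!r}")
        return self.take()
    def binop(self, sub, tok, tag):      # left-associative  sub { tok sub }
        left = sub()
        while self.look() == tok:
            self.take()
            left = (tag, left, sub())
        return left
    def statement(self):                 # IF <b-exp> THEN [ REJECT | ACCEPT ]
        self.match("KW", "if")
        cond = self.b_exp()
        self.match("KW", "then")
        verdict = self.take()[1]
        if verdict not in ("reject", "accept"):
            raise SyntaxError("REJECT or ACCEPT is expected")
        self.match("EOF")
        return verdict, cond
    def b_exp(self): return self.binop(self.and_exp, ("KW", "or"), "or")      # <and-exp> { OR <and-exp> }
    def and_exp(self): return self.binop(self.cmp_exp, ("KW", "and"), "and")  # <cmp-exp> { AND <cmp-exp> }
    def cmp_exp(self):                   # <bit-and> [ = | != | < | <= | > | >= <bit-and> ]
        left = self.bit_and()
        if self.look()[0] == "OP" and self.look()[1] in CMP:
            return ("cmp", CMP[self.take()[1]], left, self.bit_and())
        return left
    def bit_and(self): return self.binop(self.operand, ("OP", "&"), "and")    # <operand> { & <operand> }
    def operand(self):                   # ( <b-exp> ) | <field> | <constant>
        k, v = self.take()
        if (k, v) == ("OP", "("):
            node = self.b_exp()
            self.match("OP", ")")
            return node
        if k == "NUM": return ("num", v)
        if k == "ID" and v in CONSTS: return ("num", CONSTS[v])
        if k == "ID" and v in FIELDS: return ("field", v)
        raise SyntaxError(f"field, constant or '(' is expected, got {v!r}")

def negate(n):                           # REJECT is emitted as the negated accept condition
    if n[0] == "cmp":
        return ("cmp", FLIP[n[1]], n[2], n[3])
    if n[0] in ("and", "or"):            # De Morgan
        return ("or" if n[0] == "and" else "and", negate(n[1]), negate(n[2]))
    raise ValueError("condition must be a comparison")

def width(n):                            # operand width, taken from the field a sub-expression reads
    if n[0] == "field":
        return FIELDS[n[1]][1]
    return (width(n[1]) or width(n[2])) if n[0] in ("and", "or") else None

def emit(n, out, w="l"):                 # post-order walk: operands first, then the operator
    if n[0] == "num":
        out.append(f"pushLiteral.{w} 0x{n[1]:0{DIGITS[w]}x}")
    elif n[0] == "field":
        out.append(FIELDS[n[1]][0])
    else:
        if n[0] == "cmp":                # a literal takes the width of the field it is compared with
            n, w = n[1:], width(n[2]) or width(n[3]) or "l"
        emit(n[1], out, w)
        emit(n[2], out, w)
        out.append(n[0])

def compile_statement(src):              # if/then statement -> list of stack-language instructions
    verdict, cond = Parser(src).statement()
    out = []
    emit(cond if verdict == "accept" else negate(cond), out)
    return out
```

compile_statement("if (type = ip) then accept") yields the three-instruction script the page gives for the Ethernet IP filter (pushField.w 12, pushLiteral.w 0x0800, eq), and a REJECT statement on a compound condition is rewritten by De Morgan so that only the comparison operators on the page are needed. A missing THEN or an unknown field raises a SyntaxError naming the expected token, which is the error path Figure 14 shows.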
A METHOD OF BUILDING A PACKET FILTER



TECHNICAL FIELD 

The present invention relates to the field of network management software. 
More specifically, the present invention relates to packet filters utilized in network 
systems. 

BACKGROUND ART 

User-defined packet filters are a very powerful feature of networking 
switches. Unfortunately, conventional packet filter building methods are often 
difficult to perform and implement, and are also error prone. For example, 
conventional packet filter building methods require the network manager or other 
individual building the packet filters to be intimately familiar with the basic 
elements (e.g. fields, operators, constants, and the like) used in packet filters. 
Such packet filter building knowledge is extensive. In addition, conventional 
packet filter building methods require the network manager or packet filter builder 
to have low-level programming language knowledge and skills, because packet 
filters have to be constructed in complex design languages, such as a Reverse Polish 
stack-oriented language. Thus the average network manager cannot effectively 
build user-defined packet filters using the conventional packet filter building process. 




User-defined packet filters can be used to improve network performance 
and increase network security. This enables network managers to maximize the 
return on investment of very expensive switches. However, due to the 
aforementioned complexity associated with conventional packet filter building, 
many network managers lack the ability and programming expertise to construct the 
desired packet filters. Thus it is wasteful to let such a powerful feature as user- 
defined packet filters go under-utilized, or worse, to compromise network 
performance and security. 

Accordingly, what is needed is a system and method for building User- 
Defined Packet Filters that is easy and intuitive to use and maintain, not solely 
constructed using complex design language, does not require extensive networking 
knowledge and can be used effectively by average network managers. 



DISCLOSURE OF THE INVENTION 

A method and computer system are described herein for packet filter 
building wherein the packet filter is not constructed solely using complex design 
languages. The present invention further provides a packet filter building system 
and method which is not error-prone. Furthermore, the present invention provides 
a packet filter building system and method which does not require a highly trained 
programmer for its implementation, and a packet filter building system 
and method which can be effectively and efficiently utilized by a typical network 
manager. 

Specifically, two embodiments of the invention are presented to assist 
users in the construction of a packet filter such that the user is able to build a 
packet filter without being extensively trained in all of the numerous parameters 
involved in packet filter construction. 

In one embodiment, a wizard-type interface guides the users through the 
formation of a packet filter on a step-by-step basis. That is, in such an 
embodiment, the present invention displays tutorial information to the user and 
prompts the user for various information or tells the user how to proceed. Then a 
packet filter is automatically generated at the end. Thus, by employing such a 
wizard-type approach, the present embodiment is able to assist even the most 
novice network manager or other packet filter builder in the creation of desired 
packet filters. 

In another embodiment, the present invention provides a "calculator-type" 
interface for the formation of a packet filter by a more advanced network 
manager or other packet filter builder. In this embodiment, the user can enter 
expression-based statements either by typing them or by clicking/double-clicking 
desired fields, operators, constants, or pre-built filters. The expression-based 
statements indicate the characteristics of the packet filter which the user wishes 
to build. The present embodiment then converts the expression-based statements 
to the final packet filter in the traditional filter builder language. Thus, even in this 
more advanced embodiment, the present invention allows a network manager or 
other packet filter builder to construct a packet filter without being extensively 
trained in or cognizant of all of the various parameters in packet filter 
construction. 

These and other advantages of the present invention will no doubt become 
obvious to those of ordinary skill in the art after having read the following detailed 
description of the preferred embodiments which are illustrated in the various 
drawing figures. 
BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, which are incorporated in and form a part of 
this specification, illustrate embodiments of the invention and, together with the 
description, serve to explain the principles of the invention: 

FIGURE 1 is a schematic diagram of an exemplary computer system used 
to perform steps of the packet filter builder (PFB) method in accordance with one 
embodiment of the present invention. 

FIGURE 2 is a flow chart of steps performed in accordance with one 
embodiment of the present claimed PFB invention. 



FIGURE 3 is an illustration of one embodiment of a graphical user interface 
provided in accordance with one embodiment of the present claimed PFB 
invention. 

FIGURES 4-7 are tables of information used during the building of a packet 
filter, including the basic elements (e.g. fields, operators, constants, and the like) 
used in the building of packet filters. 



FIGURES 8A-8J are frames of information used during the building of a 
packet filter. 



FIGURE 9 is an illustration of one embodiment of a wizard-type graphical 
user interface provided in accordance with one embodiment of the present claimed 
PFB invention for less-advanced packet filter builders. 

FIGURE 10 is an illustration of one embodiment of a calculator-type 
graphical user interface provided in accordance with one embodiment of the 
present claimed PFB invention for more advanced packet filter builders. 

FIGURE 11 is a schematic diagram of the architecture of the 
implementation of Filter Parsing and Conversion utilized in accordance with the 
present claimed invention. 

FIGURE 12 is a schematic diagram of the main classes and methods used 
in Filter Parsing employed in accordance with the present claimed invention. 

FIGURES 13A-13C are flowcharts of the Operator Precedence Parsing 
Algorithm used in the present claimed invention. 

FIGURE 14 is an example of pseudocode demonstrating Predictive Parsing 
Method utilized in accordance with the present claimed invention. 

FIGURE 15 is the Expression-based Language Syntax Definition in BNF 
utilized in accordance with the present claimed invention. 

The drawings referred to in this description should be understood as not 
being drawn to scale except if specifically noted. 



BEST MODE FOR CARRYING OUT THE INVENTION 

Reference will now be made in detail to the preferred embodiments of the 
invention, examples of which are illustrated in the accompanying drawings. While 
the invention will be described in conjunction with the preferred embodiments, it 
will be understood that they are not intended to limit the invention to these 
embodiments. On the contrary, the invention is intended to cover alternatives, 
modifications and equivalents, which may be included within the spirit and scope 
of the invention as defined by the appended claims. Furthermore, in the following 
detailed description of the present invention, numerous specific details are set 
forth in order to provide a thorough understanding of the present invention. 
However, it will be obvious to one of ordinary skill in the art that the present 
invention may be practiced without these specific details. In other instances, well 
known methods, procedures, components, and circuits have not been described in 
detail so as not to unnecessarily obscure aspects of the present invention. 
Some portions of the detailed descriptions which follow are presented in 
terms of procedures, logic blocks, processing, and other symbolic representations 
of operations on data bits within a computer memory. These descriptions and 
representations are the means used by those skilled in the data processing arts to 
most effectively convey the substance of their work to others skilled in the art. In 
the present application, a procedure, logic block, process, etc., is conceived to be a 
self-consistent sequence of steps or instructions leading to a desired result. The 
steps are those requiring physical manipulations of physical quantities. Usually, 
though not necessarily, these quantities take the form of electrical or magnetic 
signals capable of being stored, transferred, combined, compared, and otherwise 
manipulated in a computer system. It has proved convenient at times, principally 
for reasons of common usage, to refer to these signals as bits, values, elements, 
symbols, characters, terms, numbers, or the like. 

It should be borne in mind, however, that all of these and similar terms are 
to be associated with the appropriate physical quantities and are merely 
convenient labels applied to these quantities. Unless specifically stated otherwise 
as apparent from the following discussions, it is appreciated that throughout the 
present invention, discussions utilizing terms such as "determining", "assisting", 
"loading", "storing" or the like, refer to the actions and processes of a computer 
system, or similar electronic computing device. The computer system or similar 
electronic computing device manipulates and transforms data represented as 
physical (electronic) quantities within the computer system's registers and 
memories into other data similarly represented as physical quantities within the 
computer system memories or registers or other such information storage, 
transmission, or display devices. The present invention is also well suited to the 
use of other computer systems such as, for example, optical and mechanical 
computers. 



COMPUTER SYSTEM ENVIRONMENT OF 
THE PRESENT PACKET FILTER BUILDER INVENTION 

With reference now to Figure 1, portions of the present automatic packet 
filter builder (PFB) method are comprised of computer-readable and computer- 
executable instructions which reside, for example, in computer-usable media of a 
computer system. Figure 1 illustrates an exemplary computer system 100 used 
to perform the PFB method in accordance with one embodiment of the present 
invention. It is appreciated that system 100 of Figure 1 is exemplary only and 
that the present invention can operate within a number of different computer 
systems including general purpose networked computer systems, embedded 
computer systems, and stand-alone computer systems specially adapted for 
packet filter building. 

System 100 of Figure 1 includes an address/data bus 102 for 
communicating information, and a central processor unit 104 coupled to bus 102 
for processing information and instructions. System 100 also includes data 
storage features such as a computer usable volatile memory 106, e.g. random 
access memory (RAM), coupled to bus 102 for storing information and 
instructions for central processor unit 104, computer usable non-volatile memory 
108, e.g. read only memory (ROM), coupled to bus 102 for storing static 
information and instructions for the central processor unit 104, and a data storage 
unit 110 (e.g., a magnetic or optical disk and disk drive) coupled to bus 102 for 
storing information and instructions. An input/output signal unit 112 (e.g. a 
modem) coupled to bus 102 is also included in system 100 of Figure 1. System 
100 of the present invention also includes an optional alphanumeric input device 
114, including alphanumeric and function keys, coupled to bus 102 for 
communicating information and command selections to central processor unit 
104. System 100 also optionally includes a cursor control device 116 coupled to 
bus 102 for communicating user input information and command selections to 
central processor unit 104. System 100 of the present embodiment also includes 
an optional display device 118 coupled to bus 102 for displaying information. 

Optional display device 118 of Figure 1, utilized with the present PFB 
method, may be a liquid crystal device, cathode ray tube, or other display device 
suitable for creating graphic images and alphanumeric characters recognizable to 
a user. Optional cursor control device 116 allows the computer user to 
dynamically signal the two dimensional movement of a visible symbol (cursor) on 
a display screen of display device 118. Many implementations of cursor control 
device 116 are known in the art including a trackball, mouse, touch pad, joystick 
or special keys on alphanumeric input device 114 capable of signaling movement 
of a given direction or manner of displacement. Alternatively, it will be 
appreciated that a cursor can be directed and/or activated via input from 
alphanumeric input device 114 using special keys and key sequence commands. 
The present invention is also well suited to directing a cursor by other means such 
as, for example, voice commands. A more detailed discussion of the present PFB 
method is found below. 



GENERAL DESCRIPTION OF THE PRESENT 
PACKET FILTER BUILDER METHOD 

With reference next to Figure 2, a flow chart 200 of exemplary steps used 
by the present PFB method is shown. Flow chart 200 includes processes of the 
present invention which, in one embodiment, are carried out by a processor under 
the control of computer-readable and computer-executable instructions. The 
computer-readable and computer-executable instructions reside, for example, in 
data storage features such as computer usable volatile memory 106 and/or 
computer usable non-volatile memory 108 of Figure 1. The computer-readable 
and computer-executable instructions are used to control, for example, the 
operation and functioning of central processing unit 104 of Figure 1. Although 
specific steps are disclosed in the flow chart of Figure 2, such steps are exemplary. 
That is, the present invention is well suited to performing various other steps or 
variations of the steps recited in Figure 2. The steps of Figure 2 will be described 
in conjunction with Figures 3-15. 



With reference again to Figure 2, in step 202, a user of the present 
invention determines the initial design of the packet filter to be built. For example 
the network manager or other designer of the packet filter writes down the 
features or functions of the desired packet filter. Although the present 
embodiment specifically recites writing down the features or functions of the 
packet filter to be built, it will be understood that the present invention is well 
suited to a user who does not first write down the features or functions of the 
packet filter to be built. 



In step 204 of Figure 2, the user of the present invention initiates the 
present PFB invention. In the present embodiment, the user initiates the present 
PFB invention by, for example, using cursor control device 116 to select a PFB 
icon displayed on optional display device 118. It will be understood, however, that 
the present invention is well suited to using various other methods to initiate the 
present PFB invention. The present PFB invention provides a graphical user 
interface which guides the user through the creation of the desired packet filter. In 
one embodiment, designed for a more experienced or more highly trained network 
manager, the present invention provides a "calculator-type" interface. The 
calculator-type interface provided by the present PFB invention will be described 
and illustrated below in detail. In another embodiment, the present invention 
provides a "wizard-type" interface which guides the user through the formation of 
a packet filter on a step-by-step basis. The wizard-type interface provided in one 
embodiment of the present PFB invention will be described and illustrated below 
in detail. 

Referring next to Figure 3, an illustration of the present embodiment of a 
graphical user interface 300 provided by the present PFB invention is shown. 



Thus, in step 204 of the present invention, when the user initiates the present 
PFB, GUI 300 appears, for example, on optional display device 118 of Figure 1. 
The present PFB invention utilizes a user-friendly, expression-based language to 
define packet filters. More specifically, each packet filter can be defined in a series 
of if/then statements. In each statement an expression is tested, then a specified 
action (i.e. a "reject" or an "accept") takes place. For example, if the user 
wants to define a filter to discard all AppleTalk packets (Phase I and Phase II) 
using the expression-based language, such a packet filter will be defined by the 
present PFB invention in the following manner: 

if (appletalkI or appletalkII) then reject 

or 

if (appletalkI) then reject; 
if (appletalkII) then reject; 

The present PFB invention translates the user-friendly if/then statements 
into the complex filter building language such that the user's expression-based 
if/then statements are converted into the requisite complex filter building 
language. As an example, the present PFB invention translates the above listed 
if/then statements into the following filter: 
pushField.w 12                # Get the type field
pushLiteral.w 0x809b          # AppleTalk Phase I type value
eq
reject                        # Type matches: discard the frame
pushField.w 12
pushLiteral.w 1500
gt
accept                        # Field holds an Ethernet II type (> 1500), so not 802.3: forward the frame
pushField.a 16                # Control, OUI and protocol fields of the 802.3 SNAP header
pushLiteral.a 0x03080007809b  # AppleTalk Phase II SNAP value
ne

With conventional filter building methods, the above script has to be typed 
exactly as it is. As can be seen, it requires extensive networking and programming 
knowledge and skill, and it is easy to make mistakes. However, in the present 
PFB invention, such a filter script is invisible to the user. In so doing, the present 
invention allows a user to build a desired packet filter using only intuitive if/then 
statements. Numerous additional examples of such packet filters constructed 
using user-submitted if/then statements are given below in conjunction with step 
212. 
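To see what the script above actually does to a frame, here is an added example, not part of the patent, of a small interpreter for the stack language. run_filter executes a script over the raw bytes of an Ethernet frame and returns the verdict. The semantics are assumptions read off the page's scripts, not a specification the page gives: pushField.<b|w|l|a> pushes 1, 2, 4 or 6 bytes big-endian from the given offset; eq, ne, lt, le, gt, ge push 1 or 0; and and or combine the top two entries bitwise; accept and reject pop the top entry and stop with that verdict when it is non-zero; and the final top of stack decides whether the frame is forwarded. Registers such as pushSAGM are supplied through a regs mapping, since the switch, not the frame, provides them. The frames, the group_mask helper (group g owns bit g-1 of the mask, as in step 208 and the 0x0084 script for groups 3 and 8) and all names are the example's own; the frames are constructed test data.

```python
import operator

# Added example, not the patent's code. Instruction semantics are assumptions read off
# the page's scripts: pushField.<b|w|l|a> pushes 1/2/4/6 bytes (big-endian) from an
# offset, comparisons push 1 or 0, accept/reject pop and stop with that verdict when
# the value is non-zero, and the final top of stack decides whether to forward.
WIDTH = {"b": 1, "w": 2, "l": 4, "a": 6}
COMPARE = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
           "le": operator.le, "gt": operator.gt, "ge": operator.ge}

def run_filter(script, frame, regs=None):
    """Execute a filter script over a raw Ethernet frame; returns "accept" or "reject".
    regs maps register opcodes such as pushSAGM to the value the switch would supply."""
    regs, stack = regs or {}, []
    for line in script:
        text = line.split("#", 1)[0].strip()          # drop trailing comments
        if not text or text.startswith("name"):
            continue
        op, *args = text.split()
        if op.startswith("pushField."):
            off, n = int(args[0]), WIDTH[op[-1]]
            if off + n > len(frame):                  # never read past the end of the frame
                raise ValueError(f"{op} {off}: field beyond end of {len(frame)}-byte frame")
            stack.append(int.from_bytes(frame[off:off + n], "big"))
        elif op.startswith("pushLiteral."):
            stack.append(int(args[0], 0))
        elif op in regs:
            stack.append(regs[op])
        elif op in COMPARE or op in ("and", "or"):
            b, a = stack.pop(), stack.pop()
            fn = COMPARE.get(op) or (operator.and_ if op == "and" else operator.or_)
            stack.append(int(fn(a, b)))
        elif op in ("accept", "reject"):
            if stack.pop():
                return op
        else:
            raise ValueError(f"unknown instruction {op}")
    return "accept" if stack and stack[-1] else "reject"

def group_mask(groups):
    """Group g owns bit g-1 of the 32-bit address/port group mask (step 208)."""
    return sum(1 << (g - 1) for g in groups)

def ethernet_frame(dst, src, type_or_len, payload):   # constructed test frames
    return bytes.fromhex(dst) + bytes.fromhex(src) + type_or_len.to_bytes(2, "big") + payload

IP_FRAME = ethernet_frame("00DEAD000002", "00DEAD000001", 0x0800, b"\x45" + bytes(19))
ATALK_I_FRAME = ethernet_frame("090007ffffff", "0000c0123456", 0x809b, bytes(20))
ATALK_II_FRAME = ethernet_frame("090007ffffff", "0000c0123456", 0x0020,       # 802.3 length
                                bytes.fromhex("aaaa03080007809b") + bytes(24))

APPLETALK_REJECT = [                                  # the two-stage script shown above
    "pushField.w 12", "pushLiteral.w 0x809b", "eq", "reject",
    "pushField.w 12", "pushLiteral.w 1500", "gt", "accept",
    "pushField.a 16", "pushLiteral.a 0x03080007809b", "ne"]
ETHERNET_IP_ACCEPT = ['name "EthernetIPaccept"', "pushField.w 12  # Get the type field",
                      "pushLiteral.w 0x0800  # Load IP type value", "eq  # Check for a match"]
SRC_OUI_REJECT = ["pushField.l 6", "pushLiteral.l 0xffffff00", "and",
                  "pushLiteral.l 0x00DEAD00", "ne"]
SRC_GROUP_3_8_REJECT = ["pushSAGM", "pushLiteral.l 0x0084", "and", "pushLiteral.l 0", "eq"]

if __name__ == "__main__":
    for name, frame in [("IP", IP_FRAME), ("AppleTalk I", ATALK_I_FRAME), ("AppleTalk II", ATALK_II_FRAME)]:
        print(f"{name:13s} AppleTalk filter: {run_filter(APPLETALK_REJECT, frame)}")
```

Running the two-stage AppleTalk script over the three constructed frames forwards the IP frame (its type field 0x0800 is above 1500, so the accept instruction ends the script early), discards the Phase I frame at the first reject, and discards the Phase II frame at the final ne. The bounds check on pushField matters in practice: a filter that reads 6 bytes at offset 16 from a truncated 18-byte frame must fail loudly rather than compare against whatever happens to follow the buffer.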

With reference next to Figures 4-7, tables 400-700 of information used 
during the building of a packet filter are shown. More specifically, tables 400-700 
recite the basic elements (e.g. fields, operators, constants, and the like) used in the 
building of packet filters. In conventional packet filter building, the network 
manager, or person building the packet filter, would have to be intimately familiar 
with the information displayed in each of tables 400-700 of Figures 4-7, 
respectively. However, the present PFB invention eliminates the need for the 
network manager or other packet filter builder to be well-versed in such 
information in order to design and build packet filters. That is, the present PFB 
invention lowers the "network knowledge threshold" required to effectively design 
and build packet filters. In so doing, the present PFB invention enables the 
average network manager to build packet filters with the expertise and efficiency 
of a highly trained network programmer. 

Additionally, with reference now to Figures 8A-8J, frames 802-820 of 
information used during the building of a packet filter are shown. As mentioned 
above in connection with Figures 4-7, in conventional packet filter building, the 
network manager, or person building the packet filter, would have to be intimately 
familiar with the information displayed in each of frames 802-820 of Figures 8A- 
8J, respectively. Thus, as mentioned above, the present PFB invention lowers the 
"network knowledge threshold" required to effectively design and build packet 
filters. In so doing, the present PFB invention enables the average network 
manager to build packet filters with the expertise and efficiency of a highly trained 
network programmer. 



Referring again to Figure 3, the GUI of the present PFB invention allows 
the user to readily view Filters, Port Groups, and Address Groups, or use the menu 
to create new Filters, Port Groups, and/or Address Groups. As shown in GUI 300 
of Figure 3, a user of the present PFB invention is able to readily access packet 
filter building information and initiate the packet filter building process. As an 
example, in the present embodiment of GUI 300, the following menu entries can be 
reached by selecting File, View, Create, or Help: 

Find Filters... 
Toolbar 
Address Group... 
Port Group 

It will be understood, however, that the present PFB invention is well suited 
to providing various additional and/or other information in GUI 300. 

With reference next to step 206, the user of the present invention must 
determine whether the packet filter to be built involves address/port groups. If the 
packet filter to be built does not involve such address/port groups, the present 
PFB invention proceeds to step 212. If the packet filter to be built does involve 
address/port groups, the present invention proceeds to step 208. 

In step 208, the user of the present PFB invention must determine the 
necessary mask number(s). The mask number is the bit number in the address 
group mask with which the user would like to associate a particular group. Each 
group takes up one bit of the 32 bits provided for address group administration in 
the present embodiment of the PFB invention. Although 32 bits are provided for 
address group administration in this embodiment, the present invention is well 
suited to providing a different number of bits such as, for example, 64 bits for 
address group administration. In this embodiment of the PFB invention, this 
number is limited to the mask bits which have not been assigned on the selected 
slots. Furthermore, in the present embodiment, if an address group is loaded on 
multiple slots, the same bit in the address group mask will be used on each of the 
slots. Also, in this embodiment of the PFB invention, MAC addresses can be 
entered in either canonical, FDDI format, or hexadecimal, and will be converted 
to and displayed in canonical format. 



Referring now to step 210, the present PFB invention then requires the 
user to define the address and port groups. 

Referring now to step 212, the user of the present PFB invention defines 
the packet filters to be built. As mentioned above, the present invention allows 
the user to define the packet filters to be built using expression-based if/then 
statements. The present PFB invention translates the user-friendly if/then 
statements into a complex filter building language such that the user's expression- 
based if/then statements are converted into the requisite complex filter building 
language. However, in the present PFB invention, such conversion is invisible to 
and/or hidden from the user. The following exemplary list recites several 
frequently requested packet filter types, and illustrates how the user's expression- 
based if/then statements are converted into the requisite complex filter building 
language. 
Predefined Packet Filters Provided by the Present PFB Invention 

A. Physical Port Filtering 

1. Different Port Groups (Reject): 
To discard packets whose source and destination port groups differ. 
[User Enters] 
if (SPGM & DPGM) = 0 then reject 
[Variables] 
reject/accept 
[Packet Filter Language] 
name "Filter different port group" 
pushSPGM 
pushDPGM 
and 
pushLiteral.l 0 
ne 

2. Source/Destination Port Groups: 
To reject packets from port groups 3 and 8. 
[User Enters] 
reject source port group 3, 8 
[Variables] 
Source/Destination 
accept/reject 
group(s) 
[Packet Filter Language] 
pushSPGM 
pushLiteral.l 0x0084 
and 
pushLiteral.l 0 
eq 

B. MAC Layer Filtering 

1. Different Address Groups (Reject): 
To discard packets whose source and destination address groups differ. 
[User Enters] 
if (SAGM & DAGM) = 0 then reject 
[Variables] 
accept/reject 
[Packet Filter Language] 
name "Filter different address group" 
pushSAGM 
pushDAGM 
and 
pushLiteral.l 0 
ne 

2. Source/Destination Address Groups: 
To reject packets from address groups 3 and 8. 
[User Enters] 
reject source address group 3, 8 
[Variables] 
Source/Destination 
reject/accept 
address group(s) 
[Packet Filter Language] 
name "Reject source address group 3,8" 
pushSAGM 
pushLiteral.l 0x0084 
and 
pushLiteral.l 0 
eq 

3. Source Address Filter: 
This filter operates on the source address field of a frame. It rejects packets from 
station 00-DE-AD-00-00-02. 
[User Enters] 
if (saddr = 0x00DEAD000002) then reject 
[Variables] 
MAC address 
reject/accept 
[Packet Filter Language] 
name "srcAddr_00DEAD000002_reject" 
pushField.a 6                 # Get the source address 
pushLiteral.a 0x00DEAD000002  # Load desired address 
ne                            # Check for a match 

4. Destination Address Filter: 
This filter operates on the destination address field of a frame. It rejects packets 
to station 00-DE-AD-00-00-02. 
[User Enters] 
if (daddr = 0x00DEAD000002) then reject 
[Variables] 
MAC address 
reject/accept 
[Packet Filter Language] 
name "destAddr_00DEAD000002_reject" 
pushField.a 0                 # Get the destination address 
pushLiteral.a 0x00DEAD000002  # Load desired address 
ne                            # Check for a match 



5. Source OUI: 
This filter operates on the source address field of a frame. It rejects packets from 
stations with an OUI of 00-DE-AD. 
[User Enters] 
if (SOUI = 00-DE-AD) then reject 
[Variables] 
SOUI 
reject/accept 
[Packet Filter Language] 
name "srcAddr_OUI=00DEAD_reject" 
pushField.l 6                 # Get the first 4 bytes of the source address 
pushLiteral.l 0xffffff00      # Set up mask to isolate the first 3 bytes 
and                           # Top of stack now has the OUI 
pushLiteral.l 0x00DEAD00      # Load desired OUI value 
ne                            # Check for a match 

6. Destination OUI: 
This filter operates on the destination address field of a frame. It rejects 
packets to be forwarded to stations with an OUI of 00-DE-AD. 
[User Enters] 
if (DOUI = 00-DE-AD) then reject 
[Variables] 
DOUI 
reject/accept 
[Packet Filter Language] 
name "dstAddr_OUI=00DEAD_reject" 
pushField.l 0                 # Get the first 4 bytes of the destination address 
pushLiteral.l 0xffffff00      # Set up mask to isolate the first 3 bytes 
and                           # Top of stack now has the OUI 
pushLiteral.l 0x00DEAD00      # Load desired OUI value 
ne                            # Check for a match 



7. Multicast Filter: 
This filter operates on the destination address field of a frame. It rejects all 
multicast packets. 
[User Enters] 
if (daddr and 0x01) = 0x01 then reject 
[Variables] 
accept/reject 
source/destination 
[Packet Filter Language] 
name "dstAddrMulticast_reject" 
pushField.b 0                 # Get the first byte of the destination address 
pushLiteral.b 0x01            # Set up multicast mask 
and                           # Isolate the multicast (group) bit 
pushLiteral.b 0x01            # Set up multicast bit 
ne                            # Check for a multicast frame 

8. Broadcast Filter: 
This filter operates on the destination address field of a frame. It forwards all 
broadcast packets. 
[User Enters] 
if (daddr = 0xffffffffffff) then accept 
[Variables] 
accept/reject 
source/destination 
[Packet Filter Language] 
name "dstAddrBroadcast_forward" 
pushField.a 0                 # Get the destination address 
pushLiteral.a 0xffffffffffff  # Set up broadcast value 
eq                            # Check for a broadcast frame 

9. Ethernet IP: 
This filter operates on the type field of a frame. It allows packets to be forwarded 
that are IP frames. To customize this filter to another type value, change the 
literal value loaded in the pushLiteral.w instruction. 
[User Enters] 
if (type = ip) then accept 
[Variables] 
accept/reject 
[Packet Filter Language] 
name "EthernetIPaccept" 
pushField.w 12                # Get the type field 
pushLiteral.w 0x0800          # Load IP type value 
eq                            # Check for a match 

10. "RAW" IEEE 802.3: 
This filter operates on the length/type field of a frame. It allows packets to be 
forwarded whose length/type field holds an IEEE 802.3 length (1500 or less). 
[User Enters] 
if (length <= 1500) then accept 
[Variables] 
accept/reject 
[Packet Filter Language] 
name "raw_IEEE802.3" 
pushField.w 12                # Get the length field 
pushLiteral.w 1500            # Largest IEEE 802.3 length value 
le                            # Check for an 802.3 frame 

11. Ethernet II IPX: 
This filter operates on the type field of a frame. It rejects packets that are IPX 
frames. To customize this filter to another type value, change the literal value 
loaded in the pushLiteral.w instruction. 
[User Enters] 
if (type = IPX) then reject 
[Variables] 
accept/reject 
[Packet Filter Language] 
name "EthernetII_IPX_reject" 
pushField.w 12                # Get the type field 
pushLiteral.w 0x8137          # Load IPX type value 
ne                            # Check for a match 

12. IEEE 802.2 IPX: 
This filter rejects IPX 802.2 frames. 
[User Enters] 
if IPX802.2 then reject 
or 
if (sap = 0xe0e0) and (ctl = 0x03) then reject 
[Variables] 
accept/reject 
[Packet Filter Language] 
name "IEEE802.2_reject" 
pushField.l 14                # Get the DSAP, SSAP and control fields 
pushLiteral.l 0xffffff00      # Mask off the byte following the control field 
and 
pushLiteral.l 0xe0e00300      # Load IPX DSAP/SSAP (0xe0e0) and UI control (0x03) value 
ne                            # Check for a match 

13. IEEE 802.3: 

This filter rejects IEEE 802.3 frames. 

[User Enters] 
if 802.3 then reject 
or 
if (sap = 0xaaaa) and (ctl = 0x03) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "IEEE802.3_reject" 
pushField.l 14 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load IEEE802.3 value 

14. IPX 802.3: 

This filter rejects IPX 802.3 SNAP frames. 

[User Enters] 
if 802.3 and netprot = IPX then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "IEEE802.3_reject" 
pushField.l 14 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load IEEE802.3 value 
ne 
accept 
pushField.w 20 
pushLiteral.w 0x8137 # Load IPX type value 

15. Appletalk I filter: 

[User Enters] 
if (type = appletalk) then reject 

[Variable] 
Accept/reject 

[Packet Filter Language] 
name "AppletalkI_reject" 
pushField.w 12 # Get the type field 
pushLiteral.w 0x809b # Load Appletalk type value 
ne # Check for a match 



16. Appletalk II (appletalk 802.3 snap) Filter: 

This filter rejects appletalk II frames. 

[User Enters] 
if appletalkII then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "appletalkII" 
pushField.w 14 # Get the type field 
pushLiteral.w 0xaaaa # 802.3 
eq # Check for a match 
accept 
pushField.a 16 
pushLiteral.a 0x03080007809b 
ne 



17. Maximum Length Filter: 

This filter operates on the length field of a frame. It allows packets to be 
forwarded that are less than 400 bytes in length. To customize this filter to 
another length value, change the literal value loaded in the pushLiteral.w 
instruction. 

[User Enters] 
if (length <= 400) then accept 

[Variables] 
length 
accept/reject 

[Packet Filter Language] 
name "Forward <= 400" 
pushField.w 12 # Get length field 
pushLiteral.w 400 # Load length limit 
le 



18. Minimum Length Filter: 

This filter operates on the length field of a frame. It allows packets to be 
forwarded that are greater than 900 bytes in length. To customize this filter to 
another length value, change the literal value loaded in the pushLiteral.w 
instruction. 

[User Enters] 
if (length >= 900) then accept 

[Variables] 
length 
accept/reject 

[Packet Filter Language] 
name "Forward >= 900" 
pushField.w 12 # Get length field 
pushLiteral.w 900 # Load length limit 
ge 

19. FDDI 802.3: 

This filter rejects FDDI IEEE 802.3 frames. 

[User Enters] 
if FDDI_802.3 then reject 
or 
if (FDDI_sap = 0xaaaa) and (FDDI_ctl = 0x03) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "FDDI_802.3_reject" 
pushField.l 12 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load IEEE802.3 value 
ne 

20. FDDI IP: 

This filter rejects FDDI IEEE 802.3 SNAP frames. 

[User Enters] 
if FDDI_802.3 and netprot = IP then reject 

[Variable] 
Accept/reject 

[Packet Filter Language] 
name "FDDI_IP_reject" 
pushField.l 12 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load IEEE802.3 value 
ne 
accept 
pushField.w 18 
pushLiteral.w 0x0800 
ne 
21. FDDI IPX 802.2: 

This filter rejects FDDI IPX 802.2 frames. 

[User Enters] 
if FDDI_IPX802.2 then reject 
or 
if (sap = 0xe0e0) and (ctl = 0x03) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "FDDI_802.2_reject" 
pushField.l 12 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xe0e00300 # Load value 
ne # Check for a match 

22. FDDI IPX 802.3: 

This filter rejects FDDI IPX 802.3 SNAP frames. 

[User Enters] 
if FDDI_802.3 and FDDI_netprot = IPX then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "FDDI_802.3_IPX_reject" 
pushField.l 12 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load value 
ne 
accept 
pushField.w 15 
pushLiteral.w 0x8137 
ne 

23. FDDI Appletalk: 

This filter rejects FDDI appletalk frames. 

[User Enters] 
if FDDI_802.3 and FDDI_netprot = appletalk then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "FDDI_appletalk_reject" 
pushField.l 12 # Get the dsap, ssap, ctrl field 
pushLiteral.l 0xffffff00 
and 
pushLiteral.l 0xaaaa0300 # Load value 
ne 
accept 
pushField.w 18 
pushLiteral.w 0x809b 
ne 
C. NETWORK LAYER FILTERING 

1. TCP Filter: 

This filter discards all TCP packets. 

[User Enters] 
if (netprot = IP and tranprot = TCP) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "ethIP_TcpOrUdp_reject.pfl" 
pushField.w 12 # Get the type field 
pushLiteral.w 0x0800 # Load IP type value 
ne 
accept 
pushField.b 23 # Get the protocol type in IP header 
pushLiteral.b 0x06 # Load TCP protocol type 
ne # Mismatch, accept 



2. UDP Filter: 

This filter discards all UDP packets. 

[User Enters] 
if (netprot = IP and tranprot = UDP) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "ethIP_TcpOrUdp_reject.pfl" 
pushField.w 12 # Get the type field 
pushLiteral.w 0x0800 # Load IP type value 
ne 
accept 
pushField.b 23 # Get the protocol type in IP header 
pushLiteral.b 0x11 # Load UDP protocol type 
ne # Mismatch, accept 
3. Subnet Directed Broadcast Filter (reject): 

This filter operates on the destination IP address of an IP frame. It discards IP 
(class B with 8 bit subnet) subnet broadcast packets (x.x.x.255). 

[User Enters] 
if (IP and field.b.33 = 0xff) then reject 

[Variables] 
Accept/reject 

[Packet Filter Language] 
name "EthIP_subnetBcast_reject.pfl" 
pushField.w 12 # Get the type field 
pushLiteral.w 0x0800 # Load IP type value 
ne 
accept 
pushField.b 33 # Get last byte of Dest IP address 
pushLiteral.b 0xff # Load broadcast byte 255 
ne # Mismatch, then forward 

4. Filter 6 bytes at byte 56 (forward): 

This filter operates on the 56th byte of a frame. Filters within the first 20 bytes 
are handled differently than the rest of the packet. 

[User Enters] 
if field.a:56 = 0x00cccccccccc then accept 

[Packet Filter Language] 
name "Filt6BytesAtByte56_forward" 
pushField.a 56 
pushLiteral.a 0x00cccccccccc 
eq 
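As an added example that is not part of the patent, the following Python interpreter executes the Packet Filter Language listings of sections B and C above over constructed frames; the instruction semantics it implements (operand sizes, the early `accept`, the final stack value deciding forward or reject) are my reading of those listings, and the Ethernet/IPv4 frame builder is an assumption introduced for the demonstration.

```python
# Added example (not the patent's own code): an interpreter for the stack-based
# Packet Filter Language (PFL) listings above.  Semantics are my reading of the
# listings (assumption): pushField.<s> <off> pushes <s> bytes of the frame at
# <off>, big-endian (b=1, w=2, l=4, a=6 bytes); pushLiteral.<s> <v> pushes <v>;
# eq/ne/le/ge pop b then a and push 1 if (a OP b) else 0; and pushes a & b;
# accept stops with "forward" when the top of stack is non-zero, else pops it.
# The value left on top at the end decides: non-zero = forward, zero = reject.
import operator

SIZES = {"b": 1, "w": 2, "l": 4, "a": 6}
COMPARE = {"eq": operator.eq, "ne": operator.ne, "le": operator.le, "ge": operator.ge}

def parse(text):
    """Turn a PFL listing into (op, size, operand) tuples; '#' starts a comment."""
    prog = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("name"):   # name "..." only labels the filter
            continue
        parts = line.split()
        if "." in parts[0]:                        # pushField.w 12, pushLiteral.l 0xffffff00
            kind, size = parts[0].split(".")
            prog.append((kind, SIZES[size], int(parts[1], 0)))
        else:
            prog.append((parts[0], None, None))    # eq, ne, le, ge, and, accept
    return prog

def run(prog, frame):
    """Evaluate a parsed filter on one frame; True = forward, False = reject."""
    stack = []
    for op, size, arg in prog:
        if op == "pushField":
            chunk = frame[arg:arg + size]
            if len(chunk) < size:       # field lies past the end of a short frame:
                return False            # reject rather than read past the data (assumption)
            stack.append(int.from_bytes(chunk, "big"))
        elif op == "pushLiteral":
            stack.append(arg)
        elif op in COMPARE:
            b, a = stack.pop(), stack.pop()
            stack.append(1 if COMPARE[op](a, b) else 0)
        elif op == "and":
            b, a = stack.pop(), stack.pop()
            stack.append(a & b)
        elif op == "accept":
            if stack[-1]:
                return True
            stack.pop()
        else:
            raise ValueError("unknown PFL instruction: " + op)
    return bool(stack[-1])

# The TCP reject filter as listed above (name line omitted).
TCP_REJECT = """
pushField.w 12        # Get the type field
pushLiteral.w 0x0800  # Load IP type value
ne
accept                # not IP: forward without looking further
pushField.b 23        # Get the protocol type in IP header
pushLiteral.b 0x06    # Load TCP protocol type
ne                    # Mismatch, accept
"""

def eth_ipv4_frame(proto, dst_last):
    """Constructed Ethernet II + IPv4 frame: IP protocol at offset 23, last dst byte at 33."""
    eth = bytes.fromhex("010203040506" "0a0b0c0d0e0f" "0800")
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0,
                10, 1, 2, 3, 10, 1, 2, dst_last])
    return eth + ip + bytes(20)           # padding stands in for the transport payload
```

Running the TCP reject filter on a constructed TCP frame yields False (reject), while a UDP frame or a non-IP frame such as ARP yields True (forward via the early accept).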

Hence, the present PFB invention allows the user to enter expression-based 
statements and construct complex packet filters without requiring that the user be 
well-versed in complex and error-prone programming languages. Additionally, the 
present PFB invention does not require that the user be extensively trained in or 
cognizant of all of the various parameters in packet filter construction. 

Furthermore, although the above-cited examples explicitly recite that the user 
enter an expression-based statement, the present invention is also well suited to 
having the user select such statements through various other methods. For 
example, the present invention is also well suited to having the user select 
statements via pull-down windows, double-clicking on the desired filter type, and 
the like. Although such packet filter types are specifically recited above, it will be 
understood that the above-listed packet filter types are exemplary, and that the 
present invention is well suited to having various other packet filter types. It will 
also be understood that the present PFB invention allows the user to build a 
plurality of packet filters if desired. 



Referring next to step 214, the present PFB invention then prompts the 
user to load the stored packet filter. Although such an approach is employed in 
the present embodiment, the present invention is also well suited to automatically 
loading the constructed packet filter for the user. In such an embodiment, the 
particulars of the loading of the packet filter are defined, for example, by user 
entered information. 



With reference next to Figure 9, another GUI 1100 is shown in accordance 
with the present claimed invention. In this embodiment, the present invention 
provides a "wizard-type" interface which guides the user through the formation of 
a packet filter on a step-by-step basis. In such an embodiment, the present PFB 
invention guides the user through the packet filter building method in a step-by-
step process. That is, in such an embodiment, the present invention displays 
tutorial information to the user as shown in GUI 1100. Next, the present 
embodiment of the PFB invention prompts the user for various information or 
tells the user how to proceed. Thus, by employing such a wizard-type approach, 
the present PFB invention is able to assist even the most novice network 
manager or other packet filter builder in the creation of desired packet filters. 

With reference next to Figure 10, another GUI 1200 is shown in accordance 
with the present claimed invention. In this embodiment, the present invention 
provides a "calculator-type" interface for the formation of a packet filter by a 
more advanced network manager or other packet filter builder. In the embodiment 
of Figure 10, the user can select fields, operators, constants or pre-built filters by 
either double clicking on the item in the list box 1202 or operator buttons 1204. 
The corresponding text will appear in the editable box 1206, and the user can then 
fill in variables. In the present embodiment of the PFB invention, the user can also 
directly enter (e.g. type) in the filter in editable box 1206. Furthermore, in the 
embodiment of Figure 10, the filter name may be any sequence of ASCII 
characters other than quotation marks. The filter name is limited to 32 
characters in the present embodiment. However, the present invention is also 
well suited to allowing the filter name to be restricted to fewer or greater than 32 
characters. Also, the Verify button 1208 is used for syntax checking of the filter. 
In the present embodiment of the PFB invention, if errors are found the cursor is 
moved to the place where the error is found. Furthermore, in the present embodiment, 
when the user clicks the OK button 1210, validation of the filters is performed. 

Thus, even in the more advanced embodiment, the present PFB invention allows a 
network manager or other packet filter builder to construct a packet filter without 
being extensively trained in or cognizant of all of the various parameters in packet 
filter construction. 

With reference to Figure 11, a schematic diagram of the architecture of the 
implementation of Filter Parsing and Conversion utilized in accordance with the 
present claimed invention is shown. 

With reference to Figure 12, a schematic diagram of the main classes and 
methods used in Filter Parsing employed in accordance with the present claimed 
invention is shown. 
With reference now to Figures 13A-13C, flowcharts of the Operator 
Precedence Parsing Algorithm used in accordance with the present invention are 
shown. These algorithms are used for expressions containing operators other than 
logical AND and logical OR. The main advantage of this algorithm is its simplicity 
and efficiency; there is no need to use the recursive-descent method. 

Referring now to Figure 14, an example of pseudocode utilized in accordance 
with the present claimed invention is shown. The pseudocode demonstrates the 
Predictive Parsing Method. A predictive parser is a program consisting of a 
procedure for every nonterminal. Each procedure does two things: (i) it decides 
which production to use by looking at the lookahead symbol, and (ii) the procedure 
uses a production by mimicking the right side. A nonterminal results in a call to 
the procedure for the nonterminal, and a token matching the lookahead symbol 
results in the next input token being read. If at some point the token in the 
production does not match the lookahead symbol, an error is declared. 

With reference next to Figure 15, an Expression-based Language Syntax 
Definition in BNF utilized in accordance with the present claimed invention is shown. 



The present PFB invention is also well suited to automatically validating 
the syntax of the user-defined packet filters. That is, the present PFB invention 
checks the constructed filters against a syntax diagram to ensure that the packet 
filters are valid. 

Similarly, the present PFB invention is also adapted to optimize the user-
defined packet filters. That is, some packet filters can be written/built in many 
different ways. The present PFB invention is, however, adapted to analyze the 
constructed packet filters and optimize the structure thereof. 

Thus, the present invention provides a method and computer system for 
packet filter building wherein the packet filter is not constructed solely using 
complex design languages. The present invention further provides a packet filter 
building system and method which is not error-prone. Furthermore, the present 
invention provides a packet filter building system and method which does not 
require a highly trained programmer for the implementation thereof, and a packet 
filter building system and method which can be effectively and efficiently utilized 
by a typical network manager. 

The foregoing descriptions of specific embodiments of the present invention 
have been presented for purposes of illustration and description. They are not 
intended to be exhaustive or to limit the invention to the precise forms disclosed, 
and obviously many modifications and variations are possible in light of the above 
teaching. The embodiments were chosen and described in order best to explain the 
principles of the invention and its practical application, to thereby enable others 
skilled in the art best to utilize the invention and various embodiments with 
various modifications suited to the particular use contemplated. It is intended 
that the scope of the invention be defined by the Claims appended hereto and their 
equivalents. 



CLAIMS 



What is Claimed is: 

1. A computer implemented method of building a packet filter for a 
networked system, said computer implemented method comprising the step of: 

a) generating a graphical user interface, said graphical user interface 
adapted to assist a user in the construction of a packet filter such that said user is 
able to build packet filter without being extensively trained in or cognizant of all of 
numerous parameters involved in packet filter construction. 



2. The computer implemented method as recited in Claim 1 further 
comprising the steps of: 

b) receiving from said user expression-based statements indicating 
characteristics of said packet filter; 

c) converting said expression-based statements to a language suitable for 
the formation of said packet filter; and 

d) creating said packet filter. 

3. The computer implemented method as recited in Claim 1 further 
comprising the step of: 

exporting said packet filter to a file. 

4. The computer implemented method as recited in Claim 1 further 

comprising the step of: 

loading said packet filter onto said networked system. 



5. The computer implemented method as recited in Claim 1 wherein said 
graphical user interface is comprised of a wizard-type graphical user interface. 

6. The computer implemented method as recited in Claim 1 wherein said 
graphical user interface is comprised of a calculator-type graphical user interface. 

7. A computer implemented method of building a packet filter for a 
networked system, said computer implemented method comprising the steps of: 

a) generating a graphical user interface, said graphical user interface 
adapted to assist a user in the construction of a packet filter; said graphical user 
interface adapted to assist said user in the following packet filter formation steps: 

i) determining whether said packet filter involves first 
parameters; 

ii) determining whether said packet filter involves second 
parameters; and 

iii) constructing said packet filter. 

8. The computer implemented method as described in step i) of Claim 7 
wherein said graphical user interface assists said user in determining whether said 
packet filter involves address groups. 

9. The computer implemented method as described in step ii) of Claim 7 
wherein said graphical user interface assists said user in determining whether said 
packet filter involves port groups. 



10. The computer implemented method as recited in Claim 8 wherein said 
graphical user interface assists said user in defining an address group for said 
packet filter when said packet filter involves address groups. 

11. The computer implemented method as recited in Claim 9 wherein said 
graphical user interface assists said user in defining a port group for said packet 
filter when said packet filter involves port groups. 

12. The computer implemented method as described in step iii) of Claim 7 
wherein said graphical user interface assists said user in constructing said packet 
filter using an expression-based statement. 

13. The computer implemented method as recited in Claim 7 wherein said 
graphical user interface is comprised of a wizard-type graphical user interface. 

14. The computer implemented method as recited in Claim 7 wherein said 
graphical user interface is comprised of a calculator-type graphical user interface. 

15. The computer implemented method as recited in Claim 7 wherein said 
graphical user interface is further adapted to assist said user in exporting said 
packet filter to a file. 

16. The computer implemented method as recited in Claim 7 wherein said 
graphical user interface is further adapted to assist said user in loading said 
packet filter onto said networked system. 



17. In a computer system having a processor coupled to a bus, a computer 
readable medium coupled to said bus and having stored therein a computer 
program that when executed by said processor causes said computer system to 
implement a method of assisting a user in the building of a packet filter for a 
networked system, said method comprising the step of: 

a) generating a graphical user interface, said graphical user interface 
adapted to assist a user in the construction of a packet filter such that said user is 
able to build packet filter without being extensively trained in or cognizant of all of 
numerous parameters involved in packet filter construction. 

18. A computer readable memory unit as described in Claim 17 wherein 
said computer implemented method stored on said computer readable medium 
further comprises the steps of: 

b) receiving from said user expression-based statements indicating 
characteristics of said packet filter; 

c) converting said expression-based statements to a language suitable for 
the formation of said packet filter; and 

d) creating said packet filter. 

19. The computer readable memory unit as described in Claim 17 wherein 
said computer implemented method stored on said computer readable medium 
further comprises the step of: 

exporting said packet filter to a file. 

20. The computer readable memory unit as described in Claim 17 wherein 
said computer implemented method stored on said computer readable medium 
further comprises the step of: 

loading said packet filter onto said networked system. 

21. The computer readable memory unit as described in Claim 17 wherein 
said computer implemented method stored on said computer readable medium 
further comprises the step of: 

generating a wizard- type graphical user interface to assist said user in the 
construction of said packet filter. 

22. The computer readable memory unit as described in Claim 17 wherein 
said computer implemented method stored on said computer readable medium 
further comprises the step of: 

generating a calculator- type graphical user interface to assist said user in 
the construction of said packet filter. 

23. A method of building a packet filter, substantially as described herein, 
with reference to and as illustrated in the accompanying drawings. 